From owner-freebsd-security Thu Sep 7 15:37: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 81D9637B422; Thu, 7 Sep 2000 15:36:59 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA25970; Thu, 7 Sep 2000 15:36:59 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 7 Sep 2000 15:36:59 -0700 (PDT) From: Kris Kennaway To: =?iso-8859-1?Q?Iv=E1n?= Arce Cc: freebsd-security@freebsd.org Subject: Re: UNIX locale format string vulnerability (fwd) In-Reply-To: <39B81932.F5832679@core-sdi.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 8 Sep 2000, [iso-8859-1] Iv=E1n Arce wrote: > No, the proper fix is to=20 > 1. Ensure that SUID programs dont follow user directives of where > to take messages with catgets() from. (This is done on > FreeBSD base system) > =20 > AND >=20 > 2. to ensure that unchecked user suplied data is not passed > to printf() functions as the fmt argument. >=20 > If instead of doing printf(catgets("foo")) you > do printf("%s",catgets("foo")) the problem does not appear. We're actually talking about something different here. It's only indirectly related to setuid programs and format strings - the real issue is sudo filtering the environment of the program it runs with privileges on behalf of the user. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message